Secure network file access control system
First Claim
1. A network storage architecture supporting securely controlled access and transfer of data between a client computer system and a network data store, said network storage architecture comprising:
- a) an agent program, executed on a client computer system, operative with respect to an application program, executable by said client computer system to access a network data store, to develop authentication data with respect to said application program; and
b) a network appliance, coupleable through a communications network to said client computer system, interoperable with said agent program to receive and validate said authentication data, said network appliance providing a response message to said agent program to control execution of said application program.
0 Assignments
0 Petitions
Accused Products
Abstract
A secure network file access appliance supports the secure access and transfer of data between the file system of a client computer system and a network data store. An agent provided on the client computer system and monitored by the secure network file access appliance ensures authentication of the client computer system with respect to file system requests issued to the network data store. The secure network file access appliance is provided in the network infrastructure with the client computer system and network data store to apply qualifying access policies to file system requests. The secure network file access appliance maintains an encryption key store and associates encryption keys with corresponding filesystem files to permit encryption and decryption of file data as transferred to and read from the network data store.
-
Citations
35 Claims
-
1. A network storage architecture supporting securely controlled access and transfer of data between a client computer system and a network data store, said network storage architecture comprising:
-
a) an agent program, executed on a client computer system, operative with respect to an application program, executable by said client computer system to access a network data store, to develop authentication data with respect to said application program; and
b) a network appliance, coupleable through a communications network to said client computer system, interoperable with said agent program to receive and validate said authentication data, said network appliance providing a response message to said agent program to control execution of said application program. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A network storage architecture supporting securely controlled access and transfer of data between a client computer system and a network data store, said network storage architecture comprising:
-
a) an agent program, executed on a client computer system, responsive to a source file request issued with respect to a network data store by an application program executed by said client computer system, said agent program being operative to develop authentication data with respect to said application program and to provide a file request message including a representation of said source file request and said authentication data; and
b) a network appliance, coupleable through a communications network to said client computer system and responsive to said file request message, said network appliance including a policy parser operative to evaluate said file request message and a policy data store including predetermined policy data accessible by said policy parser, said network appliance, responsive to the evaluation of said file request message, enabling performance of said source file request with respect to said network data store. - View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. A method of securing access by a client computer system to file data stored on a storage device accessible by said client computer system, said method comprising the steps of:
-
a) intercepting, by a first program as executed on a client computer system, a data transfer request issued by a second program, as executed on said client computer system, directed to a data file stored by a client accessible file data store;
b) first processing, by said first program, said data transfer request to associate authentication data with said data transfer request;
c) evaluating, by a security appliance coupled to said client computer system through a communications network, said data transfer request, said authentication data, and access control data corresponding to said data file to qualify said data transfer request; and
d) second processing to selectively enable said data transfer request to proceed relative to said data file dependent on the qualification of said data transfer request. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
-
-
25. A method of securing file access operations by a client computer system made with respect to a client accessible file data store, said method comprising the steps of:
-
a) intercepting, by a first program executing on a client computer system, file operation requests issued by a second program, as executing on said client computer system, wherein said file operation requests are issued with respect to files stored in a filesystem accessible by said client computer system;
b) determining, by said first program relative to a predetermined file operation request, authentication data for said second program, wherein said authentication data includes user and process identification data and a representation of said predetermined file operation request; and
c) enabling, by a security appliance responsive to said authentication data, said predetermined file operation request with respect to a file identified by said predetermined file operation request, wherein said enabling step is dependent on qualification, by said security appliance, of said authentication data against policy data defining operation permissions relative to said file. - View Dependent Claims (26, 27, 28, 29)
-
-
30. A security appliance for securing access by client computer systems to persistently stored data files, said security appliance comprising:
-
a) a processor coupleable to a client computer system to receive an access request message, wherein said access request message includes authentication data and an identification of a file operation directed to an identified data file stored in a persistent data file store; and
b) a policy data store, accessible by said processor, providing for the storage of predetermined file operation qualifiers applicable to data files present in said persistent data file store, wherein said policy data store is maintained secure by said processor with respect to said client computer system, and wherein said processor is operative to selectively enable said file operation dependent on an evaluation of said predetermined file operation qualifiers with respect to said access request message. - View Dependent Claims (31, 32, 33, 34, 35)
-
Specification